store T-SQL in database

Stephen Witter

I have an ASP.NET page that creates controls at runtime. I am also
wanting to create drop-down lists at runtime that connect to a view in
SQL Server. I was thinking of storing either the view name or the SQL
statement in a field, and using that to create the datasource for the
ddl at runtime. I was thinking I could store the connection strings
in variables since there would only be two or three. My main concern
is whether there are any security risks involved in storing SQL
statements in a field, and accessing that using ADO in my code. For
example:

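Imports System.Data
Imports System.Data.SqlClient
Function GetDataSource() As String
    ' Read the stored SQL text for report 1 from REPORT_TABLE
    Dim sql As String = "SELECT SQL_STATMENT FROM REPORT_TABLE WHERE REPORT_ID=1"
    Using myConnection As New SqlConnection("server=;UID=;database=;PWD=;")
        myConnection.Open()
        Return CStr(New SqlCommand(sql, myConnection).ExecuteScalar())
    End Using
End Function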

This would get a SQL statement from the field and use it as follows:

Sub BindDDL()
    Dim ConnectionString As String = "server=;UID=;database=;PWD=;"
    ' The command text is whatever SQL is stored in REPORT_TABLE
    Dim CommandText As String = GetDataSource()
    Dim myConnection As New SqlConnection(ConnectionString)
    Dim myCommand As New SqlCommand(CommandText, myConnection)
    ddl.DataTextField = "field1"
    ddl.DataValueField = "field2"
    myConnection.Open()
    ' CloseConnection closes the connection when the reader is closed
    ddl.DataSource = myCommand.ExecuteReader(CommandBehavior.CloseConnection)
    ddl.DataBind()
End Sub

Again, my only concern is security.
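
An added example (not code from the original post) of a narrower variant of the design described above: the table stores only a view name, which is validated before it reaches a command, so a modified REPORT_TABLE row cannot supply arbitrary SQL to the application's connection. The VIEW_NAME column, the dbo schema and the ReportDataSource module are assumptions made for illustration; field1 and field2 come from the post.

```vb
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text.RegularExpressions
Imports System.Web.UI.WebControls

Public Module ReportDataSource
    ' Plain identifier only: no brackets, quotes, spaces or semicolons can pass.
    Private ReadOnly NamePattern As New Regex("\A[A-Za-z_][A-Za-z0-9_]{0,127}\z")

    ' Reads VIEW_NAME (hypothetical column) and accepts it only if it is a
    ' well-formed name of an existing view in the dbo schema (assumed schema).
    Public Function GetViewName(conn As SqlConnection, reportId As Integer) As String
        Dim name As String
        Using cmd As New SqlCommand("SELECT VIEW_NAME FROM REPORT_TABLE WHERE REPORT_ID = @id", conn)
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = reportId
            name = TryCast(cmd.ExecuteScalar(), String) ' Nothing for NULL or no row
        End Using
        If name Is Nothing OrElse Not NamePattern.IsMatch(name) Then
            Throw New InvalidOperationException("Stored view name is missing or malformed.")
        End If
        Using chk As New SqlCommand("SELECT COUNT(*) FROM sys.views WHERE name = @n AND schema_id = SCHEMA_ID('dbo')", conn)
            chk.Parameters.Add("@n", SqlDbType.NVarChar, 128).Value = name
            If CInt(chk.ExecuteScalar()) <> 1 Then
                Throw New InvalidOperationException("Stored name is not a view in dbo.")
            End If
        End Using
        Return name
    End Function

    ' Binds the list from the validated view; the SELECT text is fixed by the code.
    Public Sub BindDDL(ddl As DropDownList, connectionString As String, reportId As Integer)
        Using conn As New SqlConnection(connectionString)
            conn.Open()
            Dim viewName As String = GetViewName(conn, reportId)
            Using cmd As New SqlCommand("SELECT field1, field2 FROM dbo.[" & viewName & "]", conn)
                ddl.DataTextField = "field1"
                ddl.DataValueField = "field2"
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    ddl.DataSource = reader
                    ddl.DataBind()
                End Using
            End Using
        End Using
    End Sub
End Module
```

Connecting with a login that holds only SELECT permission on these views limits what the application's connection can do regardless of the table's contents.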